Privacy Policy

This privacy policy informs you about the type, scope and purpose of the processing of personal data for which STATE Experience Science GmbH ("STATE") is responsible within the meaning of the EU General Data Protection Regulation ("GDPR").
Insofar as the terms "we", "us", "our" or comparable references are also used in the following text, this refers solely to STATE.

In addition to the possibility of contacting us by post, you can also contact us at any time by e-mail at hello@futurescanvas.com.

STATE Experience Science GmbH
Schönstedtstr. 7
12043 Berlin, Germany

Since our offer generally falls within the scope of the GDPR, we have aligned our privacy policy with the provisions of the GDPR. In individual cases, other local data protection laws may (additionally) apply, for example if you are not based in the EU or the European Economic Area and visit our websites or other online presences or otherwise access our offers and services from outside the EU or outside the European Economic Area.

We have organized the following information on the typical processing of personal data by data subject group. In addition, we may also process personal data that only concerns specific groups, in which case the respective data subject groups will be informed separately about the processing of their personal data in this regard. Where the term "data" is used in the following text, this is for simplification purposes and refers solely to personal data within the meaning of the GDPR.

I. Visitors to our websites

1. Log data

Each time you visit our website, we automatically collect information from the accessing computer system, which the browser used on your device automatically sends to the server of our website. This data is stored and processed on our server.

The data processed in this way is log data that is processed for technical reasons when the website is accessed via the Hypertext Transfer Protocol (Secure): This includes the IP address of the system accessing our websites, the browser type and version used, the operating system used, the Internet service provider of the system accessing our websites, the page accessed in each case and the website previously visited (including the website of third parties previously visited) and the date and time of the respective access to our websites. Such data is also collected on the servers of service providers, e.g. when accessing and using third-party content accessed via our websites.

By processing the above log data, we ensure the functionality of the website. The data is processed for the purpose of establishing the technical connection between the end device you are using and our websites and providing the website content you have accessed and for the purpose of optimizing and securing our websites and IT systems, as well as for troubleshooting and improving the functionality of our websites and managing cookies.

The legal basis for the processing is Article 6(1)(f) GDPR; our legitimate interest is the availability and operation of a website and the exchange with our business and communication partners as well as the fulfillment of internal compliance requirements.

The recipients of the personal data are IT service providers that we use as part of an order processing agreement. We also use service providers by way of order processing for the provision of services, in particular for the provision, maintenance and servicing of IT systems.

IP addresses are stored anonymously. Log data is deleted after 30 days at the latest.

Without the disclosure of personal data such as the IP address, it is not possible to use our website for technical reasons.

2. External hosting

Our websites are hosted by the external service provider Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen ("Hoster").

The personal data collected on our websites is stored on the hoster's servers. This may include, in particular, log data in accordance with Section I.1, contact requests, meta and communication data, contract data, contact data and other data that is usually generated via a website. In some cases, it may be necessary for the hoster to use third-party service providers to provide its services.

The purpose of using the hoster is to provide our websites and to fulfill the contract with our contractual partners, in particular with our customers and the users of our services.

The legal basis is Article 6(1)(b) GDPR (a contract or its initiation) and Article 6(1)(f) GDPR, our legitimate interest in the secure, fast and efficient provision of our websites by a professional provider. The hoster will only process your data to the extent necessary to fulfill its performance obligations and follow our instructions with regard to this data. In this respect, the hoster acts as our processor within the framework of an order processing agreement.

The storage period depends on the respective data types, about which we provide information below. The deletion periods specified there apply accordingly to our hoster.

3. Shopify

We use the e-commerce platform of Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify") to book our products and process payments. The purpose of using Shopify is the (also technical) provision of our services and their user-friendliness, in particular the underlying information technology infrastructure, i.e. the operation and provision of information systems and technical devices (computers, servers, etc.), as well as to analyze errors and determine any necessary security measures.
In this context, in addition to log data in accordance with Section I.1, personal master data such as name and address data as well as contact data (e.g. e-mail address and telephone number), order or booking data (the ordered goods or booked services, including date and time of the order or booking) regarding the use of our services as well as payment and account data including payment confirmations and contract master data, in particular data from the ordering of products and/or from the use of our services or the fulfillment of our contractual obligations are processed.
The purpose of processing the data is to initiate and execute the contractual relationship. This also includes, in particular, the execution of product bookings and the provision of services in connection with the booking of our products and/or services and/or in connection with the organization of competitions. There are no plans to change these purposes.

The legal basis for processing the data of our contractual partners is Article 6(1)(b) GDPR (a contract and its initiation) and Article 6(1)(c) GDPR (legal obligations) and Article 6(1)(f) GDPR; our legitimate interest is the provision of our services that is as error-free and secure as possible.

We have concluded an order processing contract with Shopify on the basis of Article 28 GDPR. The transfer and processing of personal data by Shopify is carried out in accordance with the respective order processing contracts. As part of Shopify's aforementioned services, data may also be transferred to Shopify Inc, 150 Elgin St, Ottawa, ON K2P 1L4, Canada as part of further processing on behalf of Shopify. In the case of the transfer of data to Shopify in Canada, an adequate level of data protection is guaranteed on the basis of an adequacy decision by the European Commission pursuant to Article 45 (3) GDPR. In some cases, it may be necessary for Shopify to use third-party service providers in the United States of America to provide its state-of-the-art services - including to defend against so-called DoS and DDoS attacks (Denial-of-Service or Distributed Denial-of-Service). Further information on Shopify's data protection: https://www.shopify.com/legal/privacy.

The storage period depends on the respective data types about which we inform you with this privacy policy. The deletion periods specified there apply to Shopify accordingly.

4. Cookies

We use technically necessary cookies on our website. Cookies are small text files with information that can be stored on the user's end device via the browser when visiting a website. Cookies often contain characteristic character strings that enable the browser to be uniquely identified when the website is called up again. We use processing and storage functions of the browser of your end device and collect information from the memory of the browser of your end device.

The purpose of technically necessary cookies is to ensure the basic functionality and usability of the websites, to increase the IT security of our websites in accordance with the state of the art and to technically provide information and ordering options and, in particular, the necessary shopping cart functions and to process user decisions about cookies (consent or opt-out). Technically necessary cookies are used to process data such as shopping cart content.

The legal basis for the use of technically necessary cookies is Article 6(1)(b) GDPR (the user contract for visiting our websites) and Section 25(2)(2) TTDSG and Article 6(1)(f) GDPR; our legitimate interest is the offer and presentation of our products and services and ensuring the functionality of the websites, including the shopping cart function.

Cookies that are intended to ensure IT security - provided they are not so-called "session cookies", i.e. cookies that are deleted at the end of your browser session - are usually deleted within 14 days at the latest; otherwise, cookies are deleted after one year at the latest.

You can also generally deactivate cookies in your browser at any time. Different browsers offer different ways to configure the cookie settings in the browser. However, we would like to point out that some functions, in particular the shopping cart and ordering functions of our websites, may not work or may no longer work properly if you generally deactivate cookies in your browser. Without technically necessary cookies, it is not technically possible to use the shopping cart and order functions in particular.

5. Matomo

We use the web analysis tool "Matomo", an open source tool for web analysis. Matomo serves the needs-based design of our websites and enables us to analyze the use of our websites by our visitors. In particular, we can use Matomo to display, in the form of so-called heat maps, those areas of our services in which the greatest (or even the least) activity can be determined, in order to analyze the use of our websites and so that we can further improve our services and adapt them to the needs of our visitors.

Matomo is used on our websites without the use of cookies; in this respect, the recognition of returning users is based on a so-called "digital fingerprint", which is stored anonymously and changed every 24 hours. It is not possible to draw conclusions about the identity of individual users. The legal basis for the processing of the data collected in this way is Art. 6 para. 1 lit. f) GDPR; our legitimate interest is the improvement of our performance and service offer. Further information on data protection at Matomo can be found at: https://matomo.org/privacy/.

II. Customers

We process your data for the purpose of initiating and implementing the contractual relationship. This also and in particular includes the execution of bookings of our products and/or services and the provision of services in connection with the booking of products and/or services (e.g. licenses to hold a competition or the placement of experts) and/or in connection with the holding of competitions (hereinafter also referred to as "services"). There are no plans to change these purposes.

The processed data includes personal master data such as name and address data as well as contact data (e.g. e-mail address and telephone number), order or booking data (the services ordered or booked, including the date and time of the order or booking) relating to the use of our services as well as payment and account data including payment confirmations and contract master data, in particular data from the ordering of products and/or from the use of our services or the fulfillment of our contractual obligations.

Recipients of data may also be third parties, in particular Shopify as well as IT and payment service providers and banks. In individual cases and where necessary, data may also be transferred to debt collection service providers, lawyers and courts. We also use service providers by way of order processing for the provision of services. We have concluded a data processing agreement with each of our processors on the basis of Article 28 GDPR. The transfer and processing of personal data by our processors is carried out in accordance with the respective data processing agreements.

The legal basis for the processing of our customers' data is Article 6(1)(b) GDPR (contract) and Article 6(1)(c) GDPR (legal obligations) and Article 6(1)(f) GDPR; our legitimate interest is the needs-based provision of our services and the design of our range of products, bookings and services to meet the needs of our customers. The legal basis for the transfer of payment data to payment service providers is Article 6(1)(f) GDPR, our legitimate interest in the processing of payments by a payment service provider.

All contract and booking-related data is stored in accordance with the retention periods under tax and commercial law for a period of currently up to ten calendar years after the end of the contract.

The provision of data is both legally and contractually mandatory for customers. A contractual relationship cannot be established and executed without the provision of data.

III. Participants in surveys and ideation competitions ("challenges")

Participation in surveys and ideation competitions ("Challenge(s)") organized by us or by our customers is voluntary. If you participate in Challenges, we process your data for the purpose of conducting Challenges and evaluating the respective results.

The processed data includes - in addition to the log data according to section I.1 - the name (if provided), the e-mail address (if provided), the content of the respective Challenge, in particular the answers, contributions, ideas and other information and content (hereinafter jointly referred to as "Challenge Content") transmitted or submitted by you in the context of participation in surveys and competitions, your ratings of Challenge Content, the timestamp of participation, the technical metadata of participation and the hashed IP address.

You provide your name, your e-mail address and the Challenge Content voluntarily and yourself when you participate in the respective Challenge. The other data is automatically transmitted by your browser. Participation in challenges is also possible without providing your name and e-mail address. If you provide your e-mail address as part of a challenge, you may receive notifications about the further course of the respective challenge from the organizer of the respective challenge.

The legal basis for the processing of data for the implementation and evaluation of challenges is Article 6(1)(a) GDPR, your consent. If you regularly take part in challenges, the legal basis for data processing is Article 6(1)(b) GDPR (a contract). We may also process your data in our legitimate interest, which consists in particular of coordinating and improving our products, services and the needs of customers; in this respect, the legal basis for data processing is Article 6 (1) (f) GDPR. The legal basis for the processing of (mostly already aggregated) data for the purpose of evaluating challenges is also Article 6 (1) (f) GDPR; our legitimate interest is to analyse and evaluate the challenge content and evaluations of challenge content and to prepare it in a needs-based manner for us and/or our customers, in particular to categorize, aggregate and visualize it. The legal basis for the storage of your data - insofar as it could be relevant for certain legal disputes - is Article 6 (1) (f) GDPR; our legitimate interest is to defend ourselves against possible claims.
If we carry out challenges for our customers, the data will be evaluated and processed by us in accordance with the respective purpose of the challenge, which is explained by our customers in the description of the respective challenge, in particular categorized, aggregated and, if necessary The legal basis for this transfer of data as part of the challenge evaluation is Article 6(1)(f) GDPR; our legitimate interest is to analyse and evaluate the challenge content and to prepare it in a needs-based manner for us and/or our customers, in particular to categorize, aggregate and visualize it. If you voluntarily provide a name and/or your e-mail address as part of your participation in a challenge, this data will also be transmitted to our customers as part of the challenge evaluation; the legal basis in this respect is Article 6 para. 1 lit. a) GDPR.

Unless we need to retain your data for follow-up questions or to fulfill our statutory retention obligations, the data relating to challenges will generally be deleted no later than one year after the end of a challenge. Data that becomes relevant for the defense against possible claims is stored for three years (statutory limitation period). If you have provided your e-mail address as part of a challenge and are no longer interested in the further progress of the respective challenge, you can unsubscribe from the e-mails at any time using the unsubscribe button in the e-mails. The hashed IP address is stored for the duration of a challenge.
We use service providers within the framework of an order processing agreement as processors for the implementation and evaluation of challenges and for the provision, care and maintenance of IT systems. Data is transferred to the USA if we use the software of the service providers listed below.

OpenAI

We use an application programming interface (API) of OpenAI OpCo, LLC at 3180 18th Street, San Francisco, CA, USA ("OpenAI") to classify, (editorially) correct, summarize, aggregate and visualize challenge content, i.e. answers, contributions, ideas and other information or content submitted by participants to challenges, as well as ratings of challenge content for the evaluation and analysis of challenges.

The data processed by OpenAI is the challenge content and ratings of challenge content submitted by participants as part of their participation in surveys and competitions.

The transmission and submission of challenge content and evaluations of challenge content is voluntary; as far as challenge content entered by you in text fields is concerned, you alone decide on the form, scope and content of the challenge content transmitted or submitted in this way. Insofar as the Challenge Content and assessments of Challenge Content submitted by you in the context of Challenges do not allow any conclusions to be drawn about your person, OpenAI will not collect or process any personal data in this respect.

The recipient of the challenge content is OpenAI, which we use as a processor within the framework of an order processing agreement. OpenAI also processes the data in the USA, among other places. In the opinion of the European Court of Justice, there is no adequate level of data protection in the USA that fully complies with the provisions of the GDPR. It is possible that US authorities may access personal data without us or you being informed. Enforcement of your rights in the USA is probably only possible to a limited extent. OpenAI is bound by the EU standard contractual clauses so that the data may only be processed for our purposes. The data processing agreement, including the EU standard contractual clauses, is available at https://openai.com/policies/data-processing-addendum. Further information on data protection at OpenAI: https://openai.com/policies/eu-privacy-policy. Insofar as personal data is collected or processed, the legal basis for the processing of data in the USA is your consent pursuant to Article 49(1)(a) GDPR, which you declare by voluntarily submitting or transmitting challenge content. You can revoke your consent at any time with effect for the future.

IV. Communication partners

When you contact us - e.g. via our contact form, by email, letter or telephone - we collect all the information you provide, which regularly includes personal data.

The purpose of the processing is to prepare and execute a contractual relationship and/or other communication, including checking and responding to any inquiries you send us.

The data processed by us includes, in particular, names, contact details, all communication content, timestamps of the communication and technical metadata of the communication.

The legal basis for the processing of personal data is Article 6(1)(c) GDPR (legal obligations, in particular tax and commercial law regulations), as well as Article 6(1)(b) GDPR (a contract or contract initiation) in the case of contracts with natural persons and Article 6(1)(f) GDPR in the case of contracts with legal persons; our legitimate interest is communication with contact persons relevant to the contract. In all other cases of communication, the legal basis is Article 6(1)(f) GDPR; our legitimate interest is to respond to inquiries addressed to us and to document communication processes.

Contact and contract data may be transmitted to other service providers, business partners as well as offices and authorities if this is necessary for the execution of a contract or order. We also use service providers by way of order processing for the provision of technical services, in particular for the provision, maintenance and servicing of IT systems.

Data from contractual partners and service providers will be deleted no later than ten (10) calendar years after the end of the contractual relationship with the respective partner or service provider.

It may be necessary to process the contact data of service providers and business partners in order to execute a contract or order. If the data required for communication is not provided, communication may be significantly disrupted.

V. Newsletter subscribers

We send newsletters to provide you with information about our websites or about the progress of challenges in which you have participated. We also monitor the reach and success of the newsletter.

If we have an existing contractual relationship (e.g. terms of use or other general terms and conditions) with you and you have not objected, we may send you information about our products and services and about the progress of challenges in which you have participated. In these cases, we process your data for the purpose of sending the newsletter. The data processed in this way are name, email address, log data as defined in Section I.1, pseudonymized identifiers such as external IDs or hashed email addresses, opening and reading times of the newsletter.

If you have subscribed to a newsletter, the legal basis for processing the data is Art. 6 para. 1 lit. a) GDPR (your consent). In the case of an existing contractual relationship and provided you have not objected, the legal basis for the processing of the data is Article 6 (1) (b), (f) GDPR, Section 7 UWG, our legitimate interest is to keep you informed about our products and services or about the progress of challenges in which you have participated. We may also process the data on the basis of our legitimate interest in improving our newsletters, checking the distribution lists and showing you more relevant content; the legal basis in this respect is also Article 6(1)(f) GDPR.

You provide the contact data yourself when you enter into a contractual relationship with us or subscribe to the newsletter; the other analysis data is automatically transmitted by the browser or the end device you use and, if applicable, the email client you use.

We use service providers within the framework of an order processing agreement as processors for the provision and improvement of services, in particular for the provision, maintenance and care of IT systems, in particular "Mailchimp", a newsletter service of Intuit Inc ("Intuit"). Intuit is certified under the "EU-U.S. Data Privacy Framework", for which the European Commission adopted the adequacy decision on July 10, 2023. In addition, we have concluded an order processing agreement with Intuit, which also includes the EU standard contractual clauses.

Newsletter data will be deleted if you unsubscribe from the newsletters (e.g. via the unsubscribe button in a newsletter). The data will be deleted or anonymized after one year, unless we are obliged to store the data for legitimate interests (e.g. inquiries) or to comply with our statutory retention obligations.

Data is required to receive newsletters. Newsletters cannot be sent without the provision of data. You can withdraw your consent with effect for the future at any time. Please use the unsubscribe function in the newsletter itself.

VI. Visitors to our social media pages

We have pages operated by us on the so-called social media platforms ("social media pages"). The social media pages are operated by third-party service providers who process data for the provision of such pages.

The data processed is content and usage data on the social media pages, in particular data relating to the interaction of visitors with our social media pages and data that visitors to our social media pages share with us.
The purpose of data processing on our social media pages is to offer visitors interesting content and to interact with them on the social media platforms. Depending on the social media platform, the usage data may also be analyzed in order to improve our own presence on the respective social media app.

The legal basis for the processing of data by us is Article 6(1)(f) GDPR; our legitimate interest is the analysis of usage data to improve our respective social media site.

Information and data that is displayed or shared on our social media pages may be accessible to the respective provider of the social media platform, its users and us or other service providers commissioned by us. Further details and additional information on data processing on the respective social media sites can be found below and in the privacy policy of the respective social media platform linked there:

1. LinkedIn

We and LinkedIn - for users in the EU or the European Economic Area, LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland ("LinkedIn") - are jointly responsible for the processing of personal data via our social media page on the LinkedIn social media app. The joint controllership agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum. According to this agreement, LinkedIn is responsible for informing the data subjects about the processing activities. LinkedIn's privacy policy is available at: https://linkedin.com/legal/privacy-policy.

2. Facebook and Instagram (Meta)

We and Facebook - for users in the EU or the European Economic Area, Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland ("Meta") - are jointly responsible for the processing of data via our social media pages on the social media platforms Facebook and Instagram. The joint controllership agreement is available at: https://www.facebook.com/legal/terms/page_controller_addendum.

According to this agreement, Facebook is responsible for informing the data subjects about the processing activities. The privacy policy for social media pages on the Facebook social media platform is available at: https://www.facebook.com/privacy/explanation. The privacy policy for social media pages for the Instagram social media platform is available at: https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect.

3. X (formerly Twitter)

We are responsible for the social media site operated by us on the social media platform X (formerly Twitter) of Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland ("Twitter"). For users in the EU or the European Economic Area, the supplementary data protection agreement between Twitter and us applies, available at: https://gdpr.twitter.com/en/controller-to-controller-transfers.html. Twitter's privacy policy is available at: https://twitter.com/en/privacy.

4. YouTube

Google - Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland - is responsible for the collection and processing of data via the social media site operated by us on the YouTube social media platform. Google Ireland Limited uses Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA as a service provider (Google Ireland Limited and Google LLC are jointly referred to as "Google"). We are not aware of any further details of the processing of personal data in the area of Google's data control or possible data processing in the USA. We have no influence on data processing by Google. You can find out more about the processing of personal data by Google in Google's privacy policy at: https://policies.google.com/privacy.

VII. Rights of the data subjects

We do not use any automated individual decision-making processes without your prior consent.

You have the right to request information about all personal data that we process about you at any time.

If your personal data is incorrect or incomplete, you have the right to rectification and completion.

You can request the deletion of your personal data at any time, unless we are legally obliged or entitled to continue processing your data.

If the legal requirements are met, you can request that the processing of your personal data be restricted.

You have the right to object to the processing if the data processing is carried out for the purpose of direct advertising or profiling.

If the processing is based on a balancing of interests, you can object to the processing by stating reasons that arise from your particular situation.
If the data processing takes place on the basis of your consent or as part of a contract, you have the right to transfer the data you have provided, provided that this does not affect the rights and freedoms of other persons.

If we process your data on the basis of a declaration of consent, you have the right to withdraw this consent at any time with effect for the future. The processing carried out prior to a revocation remains unaffected by the revocation.

You also have the right to lodge a complaint with a data protection supervisory authority at any time if you are of the opinion that data processing has taken place in breach of applicable law.